
Quickstart

Use Sentinel for local model review, project scans, and CI reporting.

Definition

The quickstart flow verifies installation, scans a small model directory, triages the first finding, and produces an output format that can move into CI/CD.

Install

git clone https://github.com/EresusSecurity/Eresus-sentinel.git
cd Eresus-sentinel
pip install -e ".[dev]"
sentinel doctor

Artifact scan

sentinel artifact model.pt
sentinel artifact ./models/

Example terminal output

Sentinel Artifact Scan
target: ./models/
findings: 2

PICKLE-EXEC               CRITICAL  model.pkl            GLOBAL os.system
SAFETENSORS-MISSING-HASH  LOW       weights.safetensors  no integrity hash in manifest

decision: block release until CRITICAL finding is closed

Project scan

sentinel scan ./project/
sentinel sast ./src/
sentinel secrets-scan ./repo/

How to read the first finding

Operational checklist
  • Record the rule ID; the same ID is used in reports, CI, and retesting.
  • Interpret severity against your release policy; CRITICAL/HIGH is usually blocking.
  • Map evidence to the file name, opcode, AST node, URL, or manifest field.
  • After applying the fix hint, rerun the same command and verify closure.

CI output

sentinel artifact ./models/ -f sarif -o report.sarif
sentinel compliance check . --framework owasp-llm

report.sarif
{
  "version": "2.1.0",
  "runs": [{
    "tool": { "driver": { "name": "Eresus Sentinel" } },
    "results": [{
      "ruleId": "PICKLE-EXEC",
      "level": "error",
      "message": { "text": "Dangerous Pickle Execution" }
    }]
  }]
}
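
A CI gate over the report.sarif shape shown above, as an added example that is not part of Sentinel or its documentation: it blocks on error-level results and lists the rule IDs closed between a first scan and its rerun. The blocking policy, the "note" level used for the LOW finding, the script name, and all function names are assumptions.

```python
"""Release gate over SARIF 2.1.0 reports (added example, not Sentinel code)."""
from __future__ import annotations
import json
import sys
from collections import Counter
from pathlib import Path

BLOCKING_LEVELS = {"error"}  # assumed policy: only SARIF "error" blocks a release


def load_results(sarif: dict) -> list[tuple[str, str]]:
    """Return (ruleId, level) for every result in every run."""
    pairs = []
    for run in sarif.get("runs", []):
        for res in run.get("results", []):
            # A result without a level is treated as "warning", the SARIF
            # default when no rule configuration overrides it.
            pairs.append((res.get("ruleId", "<none>"), res.get("level", "warning")))
    return pairs


def gate(sarif: dict) -> tuple[int, Counter]:
    """Exit code (1 = block) and a per-rule count of blocking results."""
    blocking = Counter(r for r, lvl in load_results(sarif) if lvl in BLOCKING_LEVELS)
    return (1 if blocking else 0), blocking


def closed_rules(before: dict, after: dict) -> set[str]:
    """Rule IDs present in the first report and absent from the rerun."""
    return {r for r, _ in load_results(before)} - {r for r, _ in load_results(after)}


def _report(*results: tuple[str, str]) -> dict:
    """Build a constructed report in the shape of report.sarif above."""
    return {"version": "2.1.0", "runs": [{
        "tool": {"driver": {"name": "Eresus Sentinel"}},
        "results": [{"ruleId": r, "level": lvl} for r, lvl in results]}]}


# Constructed samples. The "note" level for the LOW finding is an assumption.
BEFORE = _report(("PICKLE-EXEC", "error"), ("SAFETENSORS-MISSING-HASH", "note"))
AFTER = _report(("SAFETENSORS-MISSING-HASH", "note"))

if __name__ == "__main__":
    # Usage (hypothetical file names): python sarif_gate.py first.sarif rerun.sarif
    docs = [json.loads(Path(p).read_text(encoding="utf-8")) for p in sys.argv[1:3]]
    before, after = docs if len(docs) == 2 else (BEFORE, AFTER)
    code, blocking = gate(after)
    print("closed:", sorted(closed_rules(before, after)))
    print("still blocking:", dict(blocking))
    sys.exit(code)
```

Run with two report paths to compare a first scan against its rerun; with no arguments it uses the constructed samples.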